Re: [Hampshire] OpenSSL in Debian is broken

Author: Sean Gibbins
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] OpenSSL in Debian is broken
Hugo Mills wrote:
>
>    Ubuntu definitely *is* affected[1].
>
>    As far as I can tell, the best way of fixing your ssh keys is:
>
>  - Install the update
>  - Delete the following files:
>     ~/.ssh/id_*
>     ~/.ssh/authorized_keys

Did that.

>     /etc/ssh/ssh_host_dsa_key*
>     /etc/ssh/ssh_host_rsa_key*
>  - Generate new host keys:
>     sudo dpkg-reconfigure -plow openssh-server
>     (Thanks to Adrian for pointing out the easy way)

Looks like all of the above is effectively taken care of by bringing in
the new packages in Ubuntu Hardy, since all of the files in question
seem to have been renamed '<file>.broken' and replaced with new ones
that have a time stamp that ties in with the upgrade.

>  - Generate new personal keys:
>     ssh-keygen -t rsa -b 4096
>  - Restart the ssh daemon

The upgrade process in Hardy recommends a restart but I suspect that
this is to facilitate this in terms that regular users will understand.

>    Do this on all machines. Don't log out after deleting the host keys
> (in /etc/ssh) as you won't be able to log back in by ssh.
>
>    As a precaution, I've also been regenerating the DH key exchange
> moduli, which are kept in /etc/ssh/moduli. That's documented near the
> bottom of the ssh-keygen man page.
>
>    I haven't looked at the X.509 situation yet.
>
>    Hugo.
>
> [1] http://www.ubuntu.com/usn/usn-612-1


Thanks for the info, Hugo - it certainly made the process of sorting my
little network out simpler.

Sean
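The clean-up sequence Hugo lists above (remove the user keys and host keys, regenerate host keys with dpkg-reconfigure, generate a fresh personal key, restart sshd) as a small POSIX shell helper. This is an added example, not code from the thread, from Hugo or from Sean. Instead of deleting the affected files it moves them to `<file>.broken`, the behaviour Sean observed the Hardy upgrade applying, so the old material is kept for audit but is no longer picked up by ssh or sshd. Directory paths are parameters so the file-handling part can be rehearsed on a scratch directory of constructed dummy files before a real `/etc/ssh` is touched; the `/etc/init.d/ssh` restart path is an assumption about that era's packaging.

```shell
#!/bin/sh
# Added example; not code from the thread, from Hugo or from Sean. Turns the
# steps in the quoted mail into a rehearsable helper. Key material named there
# is moved to <file>.broken (what Sean saw the Hardy upgrade do) rather than
# deleted. Assumes a Debian/Ubuntu host with openssh-server installed; the
# sysvinit path /etc/init.d/ssh is an assumption.

# Print every file under DIR matching the given glob patterns, one per line,
# skipping names that already carry the .broken suffix so reruns are no-ops.
list_suspect_keys() {
    dir=$1; shift
    for pattern in "$@"; do
        for f in "$dir"/$pattern; do
            [ -e "$f" ] || continue              # pattern matched nothing
            case $f in *.broken) continue ;; esac
            printf '%s\n' "$f"
        done
    done
}

# Rename each matching file to <file>.broken. Silent; use count_quarantined
# afterwards to see what happened.
quarantine_suspect_keys() {
    dir=$1; shift
    list_suspect_keys "$dir" "$@" | while IFS= read -r f; do
        mv -- "$f" "$f.broken"
    done
}

# The two file sets named in the thread: per-user keys and host keys.
quarantine_user_keys() { quarantine_suspect_keys "$1" 'id_*' 'authorized_keys'; }
quarantine_host_keys() { quarantine_suspect_keys "$1" 'ssh_host_dsa_key*' 'ssh_host_rsa_key*'; }

# Number of quarantined files currently under DIR.
count_quarantined() {
    n=0
    for f in "$1"/*.broken; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Dry run on constructed dummy files. Prints the total number of files
# quarantined; known_hosts, config and moduli must survive untouched.
rehearse_in_scratch_dir() {
    scratch=$(mktemp -d)
    mkdir "$scratch/user" "$scratch/etc"
    for name in id_rsa id_rsa.pub authorized_keys known_hosts config; do
        echo 'constructed dummy' > "$scratch/user/$name"
    done
    for name in ssh_host_rsa_key ssh_host_rsa_key.pub \
                ssh_host_dsa_key ssh_host_dsa_key.pub moduli; do
        echo 'constructed dummy' > "$scratch/etc/$name"
    done
    quarantine_user_keys "$scratch/user"
    quarantine_host_keys "$scratch/etc"
    quarantine_host_keys "$scratch/etc"          # second pass must change nothing
    [ -e "$scratch/user/known_hosts" ] && [ -e "$scratch/user/config" ] \
        && [ -e "$scratch/etc/moduli" ] || { rm -rf "$scratch"; return 1; }
    u=$(count_quarantined "$scratch/user")
    h=$(count_quarantined "$scratch/etc")
    rm -rf "$scratch"
    echo "$((u + h))"
}

# The live sequence from the thread. Keep the current ssh session open
# throughout: once the host keys are gone you cannot open a new one until
# dpkg-reconfigure has produced replacements.
remediate_live_host() {
    quarantine_user_keys "$HOME/.ssh"
    list_suspect_keys /etc/ssh 'ssh_host_dsa_key*' 'ssh_host_rsa_key*' \
        | while IFS= read -r f; do sudo mv -- "$f" "$f.broken"; done
    sudo dpkg-reconfigure -plow openssh-server   # new host keys
    ssh-keygen -t rsa -b 4096                     # new personal key
    sudo /etc/init.d/ssh restart                  # assumed sysvinit path
    echo 'Regenerate /etc/ssh/moduli as described in ssh-keygen(1), then' \
         'redistribute the new public key to every authorized_keys you cleared.'
}

if [ "${1:-}" = "--live" ]; then
    remediate_live_host
else
    echo "rehearsal quarantined $(rehearse_in_scratch_dir) dummy files"
fi
```

Run it with no arguments to rehearse against a throwaway directory (it should report 7 dummy files quarantined and leave known_hosts, config and moduli alone); `--live` runs the real sequence and needs sudo. Renaming rather than deleting also gives you a simple audit check afterwards: any key file without a matching `.broken` sibling predates the fix and deserves a second look.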